- We define Memory Addressing Bugs (MAD) as follows:
- The pointer to an object is initialized, repositioned, or reassigned to an
improper memory address.
- Fig. 1 depicts MAD causes, attributes and consequences.
Fig 1. Memory Addressing Bugs (MAD) Class - click on image for detailed view.
-
The MAD operations are: Initialize (Pointer), Reassign, Reposition. They reflect improper formation of an
address.
| Operation Value | Definition |
|---|---|
| Initialize (pointer) | The first assign of an object address to a pointer; positions the pointer at the start of the object. |
| Reposition | Changes the pointer to another position inside its object. |
| Reassign | Changes the pointer to a different object. |
- The graph of causes shows that there are three main causes for memory addressing bugs: Improper Operation,
Improper Pointer, and Improper Object.
| Improper Operation | |
|---|---|
| Value | Definition |
| Missing | The operation is absent. |
| Mismatched | The deallocation function does not match the allocation function used for the same object. |
| Erroneous | There is a bug in the implementation of the operation. |
| Improper Pointer | |
|---|---|
| Value | Definition |
| NULL Pointer | Points to the zero address, a specific invalid address. |
| Wild Pointer | Points to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used. |
| Dangling Pointer | Still points to the address of its successfully deallo- cated object. |
| Over Bounds | Points over the bounds of its object. |
| Under Bounds | Points under the bounds of its object. |
| Untrusted Pointer | The pointer is modified to an improperly checked address. |
| Wrong Position | Points to a miscalculated position inside object bounds. |
| Hardcoded Address | The pointer points a wrong specific address. |
| Casted Pointer | The pointer does not match the type of the object, due to wrong type casting. |
| Improper Object | |
|---|---|
| Value | Definition |
| Wrong Size Used | The value used as size does not match the real size of the object. |
| Not Enough Allocated | The allocated memory is too little for the data it should store. |
- The graph of consequences shows Improper Pointer for Next Operation as a consequence which means a MAD
bug is always followed by another memory bug (such as MAL, MUS, MDL)
| Improper Pointer for Next Operation | |
|---|---|
| Value | Definition |
| NULL Pointer | Points to the zero address, a specific invalid address. |
| Wild Pointer | Points to an arbitrary address, because it has not been initialized or an erroneous allocation routine is used. |
| Dangling Pointer | Still points to the address of its successfully deallo- cated object. |
| Over Bounds | Points over the bounds of its object. |
| Under Bounds | Points under the bounds of its object. |
| Untrusted Pointer | The pointer is modified to an improperly checked address. |
| Wrong Position | Points to a miscalculated position inside object bounds. |
| Casted Pointer | The pointer does not match the type of the object, due to wrong type casting. |
| Forbidden Address | The pointer points to an OS protected or non-existing address. |
- The attributes of MAD are:
| Name | Value | Definition |
|---|---|---|
| Mechanism | Direct | The operation is performed over a particular object element. |
| Sequential | The operation is performed after iterating over the object elements. | |
| Source Code | Codebase | The operation is in programmer’s code – in the application itself. |
| Third Party | The operation is in a third party library. | |
| Standard Library | The operation is in the standard library for a particular programming language. | |
| Language Processor | The operation is in the tool that allows execution or creates executable (compiler, assembler, interpreter). | |
| Execution Space | Userland | The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 in x86 architecture). |
| Kernel | The bugged code runs in an environment with privilege levels with access privileged instruc- tions (e.g., ring 0 in x86 architecture). | |
| Bare-Metal | The bugged code runs in an environment with-out privilege control. Usually, the program is the only software running and has total access to the hardware. | |
| Location | Stack | The object is a non-static local variable (defined in a function, a passed parameters, or a function return address). |
| Heap | The object is a dynamically allocated data structure (e.g., via malloc() and new). |
- MAD sites are any changes to an owner via assignment (
=) or repositioning via an index
([]) or pointer arithmetics (e.g., p++ and p--).- Application examples are provided here.